As some people may know, I'm a member of the Debian
testing security team. As well as tracking
all CVE IDs with which packages they affect, we also keep a list of known
embedded code copies. Embedded code copies are a
bad thing, as they cause no end of problems for the security teams.
One of the problems we've had to find a solution for is:
How do we know what statically compiles against a library, or even worse, ships its own copy?
So, we're looking for something that looks for a particular set of bytes in arbitrary executables; a signature of the library if you will. And we do have a rather good tool that can be used for scanning for binary signatures: clamav :)
Step 1
Create a clamav signature
ClamAV has a nice
guide on how to create signatures on their site. The method I use is fairly simple: find a unique binary string, pass it to
sigtool --hex-dump and place the result in a .ndb file.
Step 2
Scan the archive
# Quote the glob so the shell does not expand it before find sees it,
# and quote $I so paths with spaces survive.
for I in `find /mirror/debian/pool/ -name '*all.deb'`; do
  clamscan -i -d smarty.ndb --deb --tempdir=/home/maulkin --no-summary \
    --max-space=1024m --stdout "$I" >> /home/maulkin/smarty.log;
done
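To show what the .ndb line built in step 1 actually encodes and how clamscan uses it in step 2, here is an added example (not part of the original post, and not ClamAV's own code) that builds an .ndb signature from a distinctive byte string, parses it, and scans raw bytes for it; the library banner, signature names and sample files are constructed, and only ClamAV's "??" single-byte wildcard is handled.

```python
import re

# .ndb extended-signature format: Name:TargetType:Offset:HexSignature
# TargetType 0 = any file type; Offset "*" = match anywhere in the file.
# Only the "??" (any single byte) wildcard of ClamAV's hex syntax is handled.

def make_ndb_signature(name, unique_bytes, target_type=0):
    """Turn a distinctive byte string into an .ndb line (the same hex
    that `sigtool --hex-dump` prints for that string)."""
    return f"{name}:{target_type}:*:{unique_bytes.hex()}"

def parse_ndb(line):
    """Parse one .ndb line into a dict holding a compiled bytes regex."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    tokens = re.findall(r"\?\?|[0-9a-fA-F]{2}", hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError(f"unsupported or malformed hex signature: {hexsig}")
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens]
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": re.compile(b"".join(parts), re.DOTALL)}

def scan_bytes(data, sigs):
    """Return the names of all signatures that match `data`."""
    hits = []
    for sig in sigs:
        if sig["offset"] == "*":
            found = sig["pattern"].search(data) is not None
        else:  # fixed offset: the signature must start exactly there
            found = sig["pattern"].match(data, int(sig["offset"])) is not None
        if found:
            hits.append(sig["name"])
    return hits

# Constructed sample data (not from the original post): a pretend embedded
# library copy carrying a version banner, and a clean file for comparison.
LIBRARY_BANNER = b"Smarty-3.x embedded copy marker"
SAMPLE_WITH_COPY = b"\x7fELFjunk" + LIBRARY_BANNER + b"\xff" * 16
SAMPLE_CLEAN = b"\x7fELFnothing to see here" + b"\xff" * 16

# Exact signature, as the sigtool --hex-dump workflow above would produce it.
SIGNATURE = make_ndb_signature("Debian.EmbeddedCopy.Smarty", LIBRARY_BANNER)
# Hand-written variant: "??" wildcards the major-version byte, so one
# signature catches "Smarty-2." as well as "Smarty-3.".
WILDCARD_SIGNATURE = ("Debian.EmbeddedCopy.Smarty.AnyMajor:0:*:"
                      + b"Smarty-".hex() + "??" + b".".hex())

if __name__ == "__main__":
    sigs = [parse_ndb(SIGNATURE), parse_ndb(WILDCARD_SIGNATURE)]
    print(scan_bytes(SAMPLE_WITH_COPY, sigs))  # both signatures hit
    print(scan_bytes(SAMPLE_CLEAN, sigs))      # []
```

clamscan with --deb unpacks the archive before matching; this scanner only looks at the bytes it is handed, so run it over the unpacked contents when testing a signature by hand.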
Step 3
???
Step 4
PROFIT!!!
While I'm talking about testing security, we're all rather busy at the moment in the team, so we could do with some help! If you fancy helping, have a quick read of the
intro and come onto #debian-security on irc.debian.org and say hi!